Hi!

This is very much an RFC series, but I wanted to make sure it actually
worked before I proposed it. This series seeks to give kfree() the
side-effect of assigning NULL to the kfree() argument when possible. This
would make a subset of "dangling pointer" flaws turn into NULL derefs
instead of Use-After-Free[1].

It effectively turns:

	kfree(var);

into:

	kfree(var);
	var = NULL;

when "var" is actually addressable. (i.e. not "kfree(get_ptrs())" etc.)

It depends on a builtin, __builtin_is_lvalue(), which is not landed in any
compiler yet, but I do have it working in a Clang patch[2].

This should be essentially free (pardon the pun), so I think if folks can
tolerate a little bit of renaming needed for when kfree is needed as a
function and not a macro, it should be good.

Please let me know what you think.

Thanks!

-Kees

(Yes, I'm still working on the kmalloc_objs() series, but I needed to take
a break from fixing all the allocation corner cases I've found there.)

[1] https://github.com/KSPP/linux/issues/87
[2] https://github.com/kees/llvm-project/commits/builtin_is_lvalue/

Kees Cook (5):
  treewide: Replace kfree() casts with union members
  treewide: Prepare for kfree() to __kfree() rename
  compiler_types: Introduce __is_lvalue()
  slab: Set freed variables to NULL by default
  [DEBUG] slab: Report number of NULLings

 arch/mips/alchemy/common/dbdma.c |  2 +-
 include/linux/compiler_types.h   | 10 ++++++++++
 include/linux/netlink.h          |  1 +
 include/linux/slab.h             | 33 ++++++++++++++++++++++++++++++--
 include/net/pkt_cls.h            |  5 ++++-
 io_uring/futex.c                 |  2 +-
 io_uring/io_uring.c              | 12 ++++++------
 kernel/bpf/core.c                |  3 ++-
 mm/slab_common.c                 | 12 ++++++++----
 mm/slub.c                        |  6 +++---
 net/sched/ematch.c               |  2 +-
 net/wireless/nl80211.c           |  2 +-
 12 files changed, 69 insertions(+), 21 deletions(-)

-- 
2.34.1
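Added example, not part of the original message or the series: a userspace sketch of why turning a dangling pointer into NULL changes the failure mode once the freed memory is reused. The one-slot allocator and the names toy_alloc(), toy_free(), toy_free_and_null(), struct session and stale_read() are hypothetical; the lvalue detection itself is not reproduced, since __builtin_is_lvalue() is not in any released compiler.

```c
#include <stddef.h>
#include <string.h>

/* Constructed toy allocator: one slot, so free + alloc reuses the same
 * memory, as a slab cache commonly does. All names are hypothetical. */
static char slot[16];
static int slot_busy;

static void *toy_alloc(void)
{
	if (slot_busy)
		return NULL;
	slot_busy = 1;
	memset(slot, 0, sizeof(slot));
	return slot;
}

static void toy_free(void *p)
{
	if (p == slot)
		slot_busy = 0;
}

/* The rewrite from the cover letter, for an addressable argument only; the
 * series selects it with __builtin_is_lvalue(), which is not used here. */
#define toy_free_and_null(var) do { toy_free(var); (var) = NULL; } while (0)

struct session { char *name; };

/* Returns 1 if a stale s.name reads the next owner's data after the slot is
 * reused (use-after-free), 0 if the pointer was NULLed and the check fires. */
static int stale_read(int null_on_free)
{
	struct session s = { .name = toy_alloc() };
	char *other;
	int leaked;

	strcpy(s.name, "alice");
	if (null_on_free)
		toy_free_and_null(s.name);
	else
		toy_free(s.name);	/* s.name still points at the slot */
	other = toy_alloc();		/* new owner gets the same memory */
	strcpy(other, "secret");
	leaked = s.name != NULL && strcmp(s.name, "secret") == 0;
	toy_free(other);
	return leaked;
}
int main(void) { return !(stale_read(0) == 1 && stale_read(1) == 0); }
```

In the kernel the NULLed case would surface as a NULL dereference at the stale access rather than a silent read of another object's memory.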